
This Is A Spammer Attack?

Discussion in 'General Discussion' started by Alexandre Duran, Dec 28, 2004.

  1. Alexandre Duran

    Alexandre Duran Well-Known Member

    Joined:
    May 6, 2003
    Messages:
    61
    Likes Received:
    0
    Trophy Points:
    6
    Location:
    Rio de Janeiro - BRAZIL
    Hi,

    One of my servers is down every 2-3 hours.
    I found thousands of these entries in my exim logs:

    2004-12-28 14:57:57 H=(adsl-68-252-254-67.dsl.chcgil.ameritech.net) [68.252.254.67] F=<R4667474b@globo.com> temporarily rejected RCPT <aida@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow aida@ribeiro in "aida@ribeiro@satcompany.com.br"
    2004-12-28 14:57:57 H=(adsl-68-252-254-67.dsl.chcgil.ameritech.net) [68.252.254.67] F=<R4667474b@globo.com> temporarily rejected RCPT <mofer@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow mofer@ribeiro in "mofer@ribeiro@satcompany.com.br"
    2004-12-28 14:57:58 H=(adsl-68-252-254-67.dsl.chcgil.ameritech.net) [68.252.254.67] F=<R4667474b@globo.com> temporarily rejected RCPT <riva@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow riva@ribeiro in "riva@ribeiro@satcompany.com.br"
    2004-12-28 14:57:58 H=(adsl-68-252-254-67.dsl.chcgil.ameritech.net) [68.252.254.67] F=<R4667474b@globo.com> temporarily rejected RCPT <estevao@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow estevao@ribeiro in "estevao@ribeiro@satcompany.com.br"
    2004-12-28 14:57:58 H=(adsl-68-252-254-67.dsl.chcgil.ameritech.net) [68.252.254.67] F=<R4667474b@globo.com> temporarily rejected RCPT <josival@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow josival@ribeiro in "josival@ribeiro@satcompany.com.br"

    The domain satcompany.com.br exists on this server, but these satcompany.com.br users do not.

    Is this a SPAMMER attack?
    I have blocked the IP 68.252.254.67, but the attack returns with other and other and other IPs....
     
  2. Alexandre Duran

    More:

    2004-12-28 15:08:45 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <mcintra@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow mcintra@ribeiro in "mcintra@ribeiro@satcompany.com.br"
    2004-12-28 15:08:45 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <marilza@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow marilza@ribeiro in "marilza@ribeiro@satcompany.com.br"
    2004-12-28 15:08:46 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <ozzy@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow ozzy@ribeiro in "ozzy@ribeiro@satcompany.com.br"
    2004-12-28 15:08:46 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <manfred@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow manfred@ribeiro in "manfred@ribeiro@satcompany.com.br"
    2004-12-28 15:08:47 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <carlos.rocha@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow carlos.rocha@ribeiro in "carlos.rocha@ribeiro@satcompany.com.br"
    2004-12-28 15:08:47 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <politica@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow politica@ribeiro in "politica@ribeiro@satcompany.com.br"
    2004-12-28 15:08:47 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <hpedro@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow hpedro@ribeiro in "hpedro@ribeiro@satcompany.com.br"
    2004-12-28 15:08:48 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<O240562y@globo.com> temporarily rejected RCPT <mercedes@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow mercedes@ribeiro in "mercedes@ribeiro@satcompany.com.br"
    2004-12-28 15:08:52 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<B714158p@bol.com.br> temporarily rejected RCPT <fborges@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow fborges@ribeiro in "fborges@ribeiro@satcompany.com.br"
    2004-12-28 15:08:53 H=(cm-vtr-133-145.cm.vtr.net) [200.120.133.145] F=<B714158p@bol.com.br> temporarily rejected RCPT <sabreu@satcompany.com.br>: error in redirect data: malformed address: @satcompany.com.br may not follow sabreu@ribeiro in "sabreu@ribeiro@satcompany.com.br"

    This happens all the time.
     
  3. chirpy

    chirpy Well-Known Member

    Joined:
    Jun 15, 2002
    Messages:
    13,475
    Likes Received:
    20
    Trophy Points:
    38
    Location:
    Go on, have a guess
    It's almost certainly spam. The problem is that they're sending emails to you with invalid (non RFC compliant) addressees and exim is baulking (as it should). I'd be surprised if this would cause your server to go down, unless the load on exim is extremely high.

    First, I'd recommend installing a dictionary attack ACL, such as:
    http://www.webumake.com/free/eximdeny.htm

    If that doesn't help, then you might need to start looking at the various exim rate limiting parameters to slow down incoming traffic, though these could impact your other domains.
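
Added example (not part of the original post or of the linked ACL): Python that parses rejected-RCPT lines in the Exim log format quoted above, reports which hosts exceed a recipient-failure threshold, and counts how many distinct hosts are probing each domain, the situation the original poster describes when blocked IPs are replaced by new ones. The function names, the default threshold of 3 and the sample log are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Exim main-log rejection lines in the format quoted in this thread:
#   DATE TIME H=(helo) [ip] F=<sender> temporarily rejected RCPT <rcpt>: reason
REJECT_RE = re.compile(
    r"^\S+ \S+ H=.*?\[(?P<ip>[^\]]+)\].*? F=<(?P<sender>[^>]*)> "
    r"(?:temporarily )?rejected RCPT <(?P<rcpt>[^>]*)>"
)

def parse_rejections(lines):
    """Yield (ip, recipient) for every rejected-RCPT log line."""
    for line in lines:
        m = REJECT_RE.match(line)
        if m:
            yield m.group("ip"), m.group("rcpt").lower()

def hosts_over_threshold(lines, threshold=3):
    """Map each host IP to its distinct rejected recipients, if more than threshold."""
    seen = defaultdict(set)
    for ip, rcpt in parse_rejections(lines):
        seen[ip].add(rcpt)
    return {ip: sorted(r) for ip, r in seen.items() if len(r) > threshold}

def targeted_domains(lines):
    """Per recipient domain: (distinct source hosts, distinct rejected local parts)."""
    hosts, users = defaultdict(set), defaultdict(set)
    for ip, rcpt in parse_rejections(lines):
        local, _, domain = rcpt.rpartition("@")
        hosts[domain].add(ip)
        users[domain].add(local)
    return {d: (len(hosts[d]), len(users[d])) for d in hosts}

# Constructed sample log (documentation IPs and domains, not taken from the thread).
def _reject(ts, ip, user):
    return (f"2004-12-28 {ts} H=(dsl.example.net) [{ip}] F=<x@example.org> "
            f"temporarily rejected RCPT <{user}@example.com>: error in redirect data")

SAMPLE_LOG = (
    [_reject("14:57:57", "192.0.2.10", u) for u in ("alice", "bob", "carol", "dave", "erin")]
    + [_reject("15:08:45", "198.51.100.7", u) for u in ("frank", "grace", "alice", "heidi")]
    + [_reject("15:09:01", "203.0.113.5", "info")]
    + ["2004-12-28 15:09:30 1CjXyZ-0001ab-2c <= user@example.net H=(mail.example.net) [203.0.113.9] P=esmtp S=1532"]
)

if __name__ == "__main__":
    for ip, rcpts in hosts_over_threshold(SAMPLE_LOG).items():
        print(f"{ip}: {len(rcpts)} rejected recipients")
    print(targeted_domains(SAMPLE_LOG))
```

A host with a single rejected recipient (a likely typo) stays below the threshold, while the per-domain count makes it visible when one domain is being probed from several hosts at once.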
     
  4. Alexandre Duran

    Thanks a lot Chirpy ! :D
    Happy New Year ! ;)
     
  5. Alexandre Duran

    Nope.. Doesn't work.
    Have I done something wrong?


    #!!# ACL that is used after the RCPT command
    check_recipient:
    # Exim 3 had no checking on -bs messages, so for compatibility
    # we accept if the source is local SMTP (i.e. not over TCP/IP).
    # We do this by testing for an empty sending host field.
    accept hosts = :

    drop hosts = /etc/exim_deny
         message = Connection denied after dictionary attack
         log_message = Connection denied from $sender_host_address after dictionary attack

    drop message = Appears to be a dictionary attack
         log_message = Dictionary attack (after $rcpt_fail_count failures)
         condition = ${if > {${eval:$rcpt_fail_count}}{3}{yes}{no}}
         condition = ${run{/etc/exim_deny.pl $sender_host_address }{yes}{no}}
         !verify = recipient
    #if it gets here it isn't mailman

    #sender verifications are required for all messages that are not sent to lists

    require verify = sender
    accept domains = +local_domains
           endpass

    #recipient verifications are required for all messages that are not sent to the local machine
    #this was done at multiple users requests

           message = "The recipient cannot be verified. Please check all recipients of this message to verify they are valid."
           verify = recipient

    accept domains = +relay_domains

    warn message = ${perl{popbeforesmtpwarn}{$sender_host_name}}
         hosts = +relay_hosts
    accept hosts = +relay_hosts

    warn message = ${perl{popbeforesmtpwarn}{$sender_host_address}}
         condition = ${perl{checkrelayhost}{$sender_host_address}}
    accept condition = ${perl{checkrelayhost}{$sender_host_address}}

    accept hosts = +auth_relay_hosts
           endpass
           message = $sender_fullhost is currently not permitted to \
                     relay through this server. Perhaps you \
                     have not logged into the pop/imap server in the \
                     last 30 minutes or do not have SMTP Authentication turned on in your email client.
           authenticated = *

    deny message = $sender_fullhost is currently not permitted to \
                   relay through this server. Perhaps you \
                   have not logged into the pop/imap server in the \
                   last 30 minutes or do not have SMTP Authentication turned on in your email client.


    #!!# ACL that is used after the DATA command
    check_message:
    require verify = header_sender
    accept
     
  6. Alexandre Duran

    Sorry, I found the error.
    It is ok right now. :cool:
     
  7. chirpy

    Great! Is it actually helping with the problem? I was unsure whether it would in your circumstances or not.
     
